[GITEA] fix POST /{username}/{reponame}/{type:issues|pulls}/{index}/content-history/soft-delete

Refs: https://forgejo.org/2023-11-release-v1-20-5-1/#api-and-web-endpoint-vulnerable-to-manually-crafted-identifiers

(cherry picked from commit a11d82a42729eba02032310f7778a9197f4f8ead)
(cherry picked from commit bebc244156)
(cherry picked from commit 2a8cb675ca)
(cherry picked from commit 56d68932ac)
Loïc Dachary 2023-11-12 18:24:56 +01:00 committed by Earl Warren
parent bfd03a9f30
commit 40ecd79294


@ -198,11 +198,19 @@ func SoftDeleteContentHistory(ctx *context.Context) {
log.Error("can not get comment for issue content history %v. err=%v", historyID, err) log.Error("can not get comment for issue content history %v. err=%v", historyID, err)
return return
} }
if comment.IssueID != issue.ID {
ctx.NotFound("CompareRepoID", issues_model.ErrCommentNotExist{})
return
}
} }
if history, err = issues_model.GetIssueContentHistoryByID(ctx, historyID); err != nil { if history, err = issues_model.GetIssueContentHistoryByID(ctx, historyID); err != nil {
log.Error("can not get issue content history %v. err=%v", historyID, err) log.Error("can not get issue content history %v. err=%v", historyID, err)
return return
} }
if history.IssueID != issue.ID {
ctx.NotFound("CompareRepoID", issues_model.ErrCommentNotExist{})
return
}
canSoftDelete := canSoftDeleteContentHistory(ctx, issue, comment, history) canSoftDelete := canSoftDeleteContentHistory(ctx, issue, comment, history)
if !canSoftDelete { if !canSoftDelete {